Abstract — In vehicular ad hoc networks (VANET), it is possible to locate and track a vehicle based on its transmissions, during communication with other vehicles or the road-side infrastructure. This type of tracking leads to threats on the location privacy of the vehicle's user. In this paper, we study the problem of providing location privacy in VANET by allowing vehicles to prevent tracking of their broadcast communications. We first identify the unique characteristics of VANET that must be considered when designing suitable location privacy solutions. Based on these observations, we propose a location privacy scheme called CARAVAN, and evaluate the privacy enhancement achieved under some existing standard constraints of VANET applications, and in the presence of a global adversary.

I. Introduction

Vehicular ad hoc networks (VANET) enable vehicles to communicate among themselves (V2V communications) and with road-side infrastructure (V2I communications). Such networks present various functionalities in terms of vehicular safety, traffic congestion reduction, and location based service (LBS) applications. Recognizing the potential of VANET, there have been concerted efforts [1], [2], [3] to network vehicles. However, many challenges, including security and privacy issues, remain to be addressed [4], [5], [6].

The unique requirements of maintaining the liability of vehicles involved in accidents, and ensuring the safety rendered by the communication between vehicles, challenge the network connectivity, privacy, and certain security aspects (discussed later in Section III-D) in VANET. Moreover, advances in localization and tracking techniques enable accurate location estimation and tracking of vehicles in VANET. By tracking a vehicle, it becomes possible to identify the locations visited by the vehicle, thereby breaching the privacy of the user of the vehicle. Furthermore, the location tracking information about a user can be misused by an adversary. Additionally, identifying the LBS applications accessed by a vehicle provides private information about the vehicle's user.

In this paper, we address the problem of allowing any vehicle to achieve unlinkability between two or more of its locations in the presence of tracking by an adversary. For developing a suitable solution, unlike previous approaches for location privacy in mobile networks (see Section V-C), we account for the constraints posed by vehicular mobility and vehicular applications in VANET (see Section II-D).

Contributions of this paper are the following. (1) We identify that the group navigation of vehicles can be used for providing location privacy in VANET. (2) We propose a location privacy scheme called CARAVAN, which combines group navigation with a random silent period enhancement technique, to mitigate tracking of a vehicle. (3) We leverage the group to provide anonymous access to LBS applications, and show when such a solution can preserve a vehicle user's privacy.

Fig. 1. Illustration of inter-vehicle communication and the components involved. The circles indicate communication between the enclosed nodes.

The rest of the paper is organized as follows. Section II describes the VANET system model and the adversary model considered, and presents the unique constraints of VANET. Section III describes the proposed location privacy enhancement scheme. Section IV evaluates the performance of the proposed solution. Section V covers the related work, and Section VI presents our conclusions.

II. System Model

A. VANET System Model and Assumptions

Fig. 1 illustrates a typical VANET that consists of vehicles, access points on the road side, and a collection of location servers. Vehicles move on roads, sharing collective environmental information between themselves, and with the servers via access points.

Fig. 2 illustrates a detailed view of our system model. A vehicle is equipped with an on-board communication unit for V2V and V2I communications, and sensor (for example, GPS) and database units to collect environmental information (for example, location, vehicle speed, tire pressure). The communication units of the access points are called Road Side Units (RSU), which are connected to the location server by a wired network. The location server records all the location data forwarded by the RSUs, and processes the data together with information from other data sources, for example vehicle manufacturers, police, the traffic management center, and the weather information center. The location server also provides an interface for the location based Service Providers (SP). In addition, a trusted Registration Authority (RA) provides authentication and authorization service to both vehicles and LBS providers.

As in [2], [5], we assume that a suitable public key infrastructure is available in the VANET. Before joining the VANET, each vehicle registers with the trusted RA. We also assume that each LBS service provider registers with the RA, and obtains a public/private key pair. During registration, each vehicle $i$ is pre-loaded with a set of $w$ pseudonyms $\{PID_{i,k}\}_{k=1}^{w}$, a public/private key pair $K_{PID_{i,k}}$ and a corresponding public key certificate $\mathrm{sign}_{RA}(K_{PID_{i,k}})$ for each pseudonym $PID_{i,k}$. Each vehicle also registers for any location based service application that is of interest. We assume that only the trusted RA knows the link between the real identity of the vehicle and its associated set of pseudonyms. All communications from a vehicle must contain one of its $w$ pseudonyms as the source address.

Fig. 2. Illustration of an inter-vehicle communication system.

B. Trust Assumptions and Adversary Model

We assume that the registration authority (RA) is a trusted entity in our model, as shown in Fig. 2. The infrastructure, including the RSUs and the location server, is only semi-trusted² to operate as expected. We additionally assume that the RSUs are able to estimate the location of a vehicle based on the vehicle's transmission signal.

In our model, we assume a global passive adversary. Such an adversary is able to overhear all the broadcasts of all the vehicles, and hence is able to estimate their locations.

C. Application Scenarios Considered

We consider three typical classes of VANET applications in this paper: cooperative driving, probe vehicle data, and location based service (LBS). In the cooperative driving application, adequately equipped vehicles maintain a very short separation (intra-convoy spacing) between each other and move smoothly with the same pre-defined speed (convoy speed). These vehicles communicate with each other frequently, either directly or via communication equipment on the road side. For example, in a prototype for cooperative driving in [7], vehicles broadcast their status information (e.g. speed, location, acceleration) every 500 ms. The advantage of cooperative driving is the increase in both safety and highway capacity resulting from the automation and close coordination of vehicles.

¹ The notation used throughout the paper is in Table II in the Appendix.
² A semi-trusted entity operates as expected, but can still reveal data it obtains during operation.


The probe vehicle data represents a class of V2I communication based applications that monitor traffic and road conditions by collecting information from vehicles that are equipped with short range radio (e.g. DSRC, 802.11p) or existing long-range communication devices (e.g. cellular network). Vehicle probe data may include vehicle identity, route segment identity, link time and location, the operational status of the probe vehicle equipment, and any other data that can be measured and communicated by the vehicles. The RSU sends probe data requests over a capture range [8], and vehicles in the capture range reply to the requests. The period between broadcasts of probe replies from vehicles depends on the requirement of applications. For example, according to [9], a typical broadcast interval of probe data for real time congestion estimation is three minutes when probe car volume is 1 vehicle/min.

LBS applications have been proposed for mobile networks. These applications obtain and make use of the most recent location of a mobile node, in order to provide a requested service [10]. For example, the service may be a query by a vehicle to find the nearest shopping mall to its current location.

In the next section, we identify various constraints of vehicular networks that are applicable to the problem addressed in this paper.

D. Relevant Constraints of VANET

VANET poses constraints such as in the mobility of vehicles, and in safety application requirements. The mobility of vehicles can be observed to have the following unique characteristics: (1) The movement of vehicles is spatially restricted. For example, as illustrated in Fig. 1, the movement of vehicles is restricted to lanes, in both streets and freeways. (2) The vehicles are spatially dependent on each other in movement. For example, as illustrated in Fig. 1, a succeeding vehicle A (following) must keep a minimum safety distance [11] from a preceding vehicle B (being followed).

The safety applications, as described in Section II-C, impose constraints in terms of the maximum period between two safety message broadcasts in cooperative driving, and the maximum period between two replies in probe data. Therefore, overall, any location privacy enhancement scheme designed for VANET must take into account these unique constraints.

In addition to the above constraints, VANET presents requirements for vehicle liability and safety. In the event of an accident, all the liable vehicles involved need to be verifiably identified. Therefore, to ensure vehicle liability, the safety messages from any vehicle must contain verifiable identification information. Furthermore, for ensuring vehicle safety, the safety messages must be authentic.

III. Proposed Location Privacy Scheme for VANET

In this section, we present CARAVAN, the proposed location privacy scheme for VANET, and describe the enhancement techniques that constitute CARAVAN.

A. Use of Silent Period to Provide Unlinkability Between Locations

In order to achieve unlinkability between two locations, a vehicle can simply update its pseudonym. However, as observed in [12], despite the pseudonym update, it is still possible to link the new and old pseudonyms of a node using the temporal and spatial relation between the new and old locations of the node. As a solution, the use of a random silent period between updates of pseudonyms was proposed in [12]. We make use of the silent period to provide unlinkability to a vehicle entering the network, by enforcing that the vehicle remains silent for a randomly chosen period of time.

Fig. 3 illustrates the scenario where a target vehicle enters a network, remains silent, updates its pseudonym from A to A', and broadcasts with A' after a random silent period. If one of the neighboring vehicles also updates its pseudonym from B to B' during this silent period, then the adversary can be misled to track the neighboring vehicle as the target.

Fig. 3. Illustration of the effect of a random silent period when used by a vehicle during network join. A target vehicle entering the network broadcasts with pseudonym A, and then goes into silence. If a neighboring vehicle updates its pseudonym from B to B' during this silent period, then an adversary can be misled to consider pseudonym B' (and hence, the associated neighbor vehicle's location) to be that of the target vehicle, provided the target vehicle updates to A' before its next broadcast.

However, as discussed in Section II-D, if the vehicles in VANET need to periodically broadcast a safety message for cooperative navigation, then the period between safety message broadcasts will be the maximum time between two broadcasts from a vehicle. Therefore, when evaluating the achievable level of anonymity for a vehicle, the time and distance between observations of the vehicle's new and old pseudonyms must be bounded by this period. Consequently, the maximum silent period will be limited to the fixed value of the period between safety message broadcasts. With only a small and fixed value (of the order of hundreds of milliseconds) for the silent period, it is possible to track vehicles in some cases, based on the temporal relation between locations [12]. The achievable anonymity enhancement with constrained values for the silent period is evaluated later in Section IV-D.

On the other hand, for VANET applications such as vehicle probe data, which need relatively less frequent broadcasts, we are able to provide a sufficient level of anonymity by making use of the random silent period technique, as will be shown later in Section IV-E.


B. Use of Group Concept to Avoid Overhearing Pseudonyms

We make the following observations that motivate the group concept applied in our solution.

1) Vehicles in geographical proximity often share redundant information such as road and traffic conditions. Hence, in V2I based applications, such as probe vehicle data, where the vehicles respond to requests received from the infrastructure, not all vehicles need to send replies.

2) As observed in Section II-D, the mobility of vehicles is spatially restricted and spatially dependent. Hence, vehicles in geographical proximity can navigate as a group, with the same average velocity due to the spatial dependency, and with similar direction due to the spatial restrictions, over a period of time.

We make use of the above observations, and propose to enable vehicles to form a group. In order to form a group, we restrict the vehicles to be in a group only if each group member can hear the broadcasts of every other group member. Since vehicles in a group will move relative to each other, and on average have the same velocity, a group can be represented by a single vehicle that we refer to as the group leader. Then, for most of the V2I communication based VANET applications, it is sufficient if only the group leader communicates on behalf of the group. Consequently, the remaining vehicles in the group are able to remain silent for an extended period of time that is bounded by the time they remain in the group.

As discussed in the previous section, an extended silent period can enhance the location privacy provided to a vehicle. Therefore, for VANET applications not requiring all vehicles to broadcast, i.e. for applications not requiring very frequent safety message broadcasts from the vehicles, we can increase the level of anonymity by employing groups.

We consider the probe vehicle data application, where typically the vehicles send probe replies once in several tens of seconds. By using vehicular groups, we offer the following benefits: (1) The silent period of a group member vehicle is extended, if the vehicle does not change group between two probe data requests. (2) The unnecessary overhead and redundancy of neighboring vehicles broadcasting possibly redundant probe data is reduced, since only the group leader replies to the RSU with probe data. (3) A reduced number of pseudonym updates (and hence, a reduced number of pseudonyms) is needed to provide the same level of anonymity achieved when the vehicle updates after every broadcast.

However, for safety applications such as cooperative driving, where all vehicles broadcast at a high frequency, the group benefits are not fully realizable. This is because (1) the extension of the silent period is not possible beyond the safety message broadcast period, and (2) each vehicle must broadcast its location, speed, and other spatial parameters for safety, as well as to maintain liability. Hence, under the performance bottleneck of the small safety broadcast period, the advantageous applicability of the vehicular group in mitigation of tracking is limited. Nevertheless, vehicular groups can be leveraged to defend against threats on privacy when accessing LBS applications. We describe this advantage of the group below.


Fig. 4. Illustration of the anonymous access to an LBS application provided to a vehicle $i$ which is a member of the group $G_j$ with the group leader vehicle being $GL_j$. The sequence of steps in the protocol is indicated in the figure.

C. Leveraging Group to Provide Unlinkability Between Pseudonym and LBS Application

A global adversary can, in certain scenarios, successfully link a vehicle pseudonym with the real identity of the vehicle and hence its user. For instance, a user might broadcast using a pseudonym, but be located in a geographical area that can be associated with its real identity. When the user accesses an LBS application in such an identifiable area, it then becomes possible for the global adversary to identify the LBS application accessed by the user. Such information can lead to a privacy breach of the user.

The use of a group enables us to provide a solution to the above problem by removing the linkability between a vehicle's pseudonym and the LBS application accessed by it. The vehicle accessing the LBS application can make use of the group leader as a proxy for anonymous access. We describe this anonymous access protocol below.

1) Protocol description: Fig. 4 shows the anonymous access protocol and the steps involved. Upon receiving the application request from vehicle $i$ (in Step 1), the group leader $GL_j$ of $i$'s group $G_j$ forwards the request with its own address to the registration authority RA via the RSU (in Steps 2-3). The RA validates the application request, and then provides a session key $k_{x,i}$ to both the service provider ($SP_x$) and vehicle $i$ (Steps 4-7). This key is used to encrypt the entire communication that takes place between $i$ and $SP_x$. $GL_j$ broadcasts the communication received from $SP_x$ (via the RSU) to the group (Step 8).

On termination of the application, $SP_x$ as well as vehicle $i$ provide the transaction details to the RA, which acts as the arbitrator and resolves any disputes. We note that in order to lower the load on the RA, anonymous payment based protocols such as [13] can be used in the LBS application access. However, we do not provide such a payment scheme here, since it is out of the scope of this paper. Due to space constraints, we provide the LBS anonymous access protocol in the Appendix, with the other group protocols.


2) Group Key and Application Address Range: In generating the application request, vehicle $i$ performs the following two steps: (1) it randomly chooses an available address $A_{aa}$ from a known application address range of the group $G_j$; (2) it broadcasts the application request encrypted with the group key $k_G$ and with $A_{aa}$ as the source address. The group key and the address range are obtained by the group members of $G_j$ from $GL_j$ when joining the group (see the Group Join protocol in the Appendix). These two parameters prevent trace back from $GL_j$ to $i$. Since the random address $A_{aa}$ is not associated with vehicle $i$, the application request from $i$ cannot be associated with any of its pseudonyms. This particular feature allows vehicle $i$ to access the LBS application even in an identifiable area, while also simultaneously broadcasting safety messages with its pseudonym $PID_{i,k}$. The group key $k_G$, on the other hand, prevents tracing $i$ based on the format of the application request message that is broadcast to $GL_j$ in Step 1 of the protocol.

Nevertheless, since a global adversary can overhear all broadcasts, it can trace vehicle $i$ by relating the location of the overheard application request broadcast sent from $i$ to $GL_j$ with the more frequent safety message broadcasts by $i$. Therefore, in order to address this weakness, we propose the following enhancements by making the group leader $GL_j$ function as a MIX [14]. (1) Removing order-of-arrival information of the requests. On receiving an application request from $i$, $GL_j$ waits for one or more requests to be received from other vehicles in the group $G_j$. The requests are then forwarded to the RSU in a random order (hence removing the order-of-arrival information). Therefore, the application $app_x$ accessed by vehicle $i$ cannot be linked to it. However, if all the vehicles access the same $app_x$, then vehicle $i$ can be linked to $app_x$. (2) Removing appearance information of the request. If the group key $k_G$ is used to encrypt communications apart from application requests, then the RSU is not able to differentiate the request for $app_x$, based on an encrypted broadcast, from the other group communications. Further, since $A_{aa}$ can be differentiated by the global adversary as a new address in the group, the tracing of vehicle $i$ can be prevented only if at least one other group member updates its pseudonym.

In the following section, we address the different attacks on the proposed scheme, and we suggest suitable solutions.

D. Discussion of Attacks and Solutions for Proposed Scheme

1) Injecting false data: A compromised vehicle in the VANET can misbehave and broadcast incorrect data, with the malicious intent of attacking its neighboring vehicles. However, since each vehicle signs the broadcast safety messages, the identity of any misbehaving vehicle can be verifiably determined. Nevertheless, in order to prevent such attacks on vehicle safety, each vehicle must be able to detect incorrect/malicious safety messages. In [15], a scheme is proposed to enable each vehicle to determine, based on its neighborhood observations, the validity of the data received.

2) Local active attacker: If the group leader colludes with the adversary, then the anonymity of the vehicle accessing the LBS application can be breached under the global adversary model. For instance, in order to link a vehicle $i$ to the LBS application accessed, a compromised group leader can mix the application requests using an adversary-known deterministic permutation (instead of mixing the requests randomly as described in Section III-C.2). The RSU locates vehicle $i$ from its broadcast to $GL_j$, and the global adversary, upon observing the order of the service providers accessed, can identify that vehicle $i$ is requesting the application $app_x$ from $SP_x$. We suggest two defense mechanisms against attacks by a compromised group leader. For the attack described above, we propose the use of verification of mixing to ensure that a random permutation is used by the group leader in mixing the LBS requests. Any verified incorrect mixing will allow the group members (including $i$) to detect that $GL_j$ is corrupt. A second defense mechanism is the group leader rotation protocol (in the Appendix), which restricts attacks by the compromised $GL_j$ to only a certain rotation period. Further, the election of the group leader is randomized to address any collusion between the leader and a group member. Apart from defending against attacks, the leader rotation enables fair provision of privacy to group members, by sharing the leader role amongst them. Due to space limitations, these attacks and defense mechanisms will be analyzed in our future work.
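As an added example (not code from the paper), the following Python simulation models the group-leader MIX of Section III-C.2 together with the compromised-leader attack of Section III-D.2: an honest $GL_j$ forwards a batch of application requests in a random order, a compromised leader uses a fixed, adversary-known permutation (modelled here as the identity order), and a global adversary that overheard the Step 1 broadcasts tries to attribute each forwarded request to its sender. The addresses, application names and the batch are constructed placeholders.

```python
import random

# Constructed sample batch of Step 1 requests: (application address A_aa chosen by
# the vehicle from the group's address range, requested application). Addresses
# and application names are placeholders made up for this example.
SAMPLE_BATCH = [
    ("Aaa-01", "app_nav"),
    ("Aaa-02", "app_fuel"),
    ("Aaa-03", "app_parking"),
    ("Aaa-04", "app_weather"),
]


def forward_requests(batch, rng, compromised=False):
    """Group leader GL_j forwards a batch of requests to the RSU (Step 2).

    Honest leader: forwards in a random permutation, so the order-of-arrival
    information is removed (Section III-C.2, enhancement (1)).
    Compromised leader (Section III-D.2): uses an adversary-known deterministic
    permutation, modelled here as the identity (arrival order is preserved).
    Returns only the requested applications in forwarded order; the A_aa source
    addresses are stripped because GL_j forwards with its own address."""
    order = list(range(len(batch)))
    if not compromised:
        rng.shuffle(order)
    return [batch[k][1] for k in order]


def adversary_guess(arrival_order, forwarded_apps):
    """Global adversary: it overheard the Step 1 broadcasts (so it knows the arrival
    order of the A_aa addresses and, via location, which vehicle used each), and it
    sees the Step 2 forwarded applications in order. Without knowledge of the
    permutation, its best hypothesis is that the leader preserved arrival order."""
    return dict(zip(arrival_order, forwarded_apps))


def link_success_rate(batch, trials, compromised=False, seed=1):
    """Fraction of (trial, vehicle) pairs in which the adversary's attribution of
    an application to a source address is correct."""
    rng = random.Random(seed)
    arrival_order = [src for src, _ in batch]
    truth = dict(batch)
    hits = 0
    for _ in range(trials):
        forwarded = forward_requests(batch, rng, compromised)
        guess = adversary_guess(arrival_order, forwarded)
        hits += sum(1 for src in arrival_order if guess[src] == truth[src])
    return hits / (trials * len(batch))


def analytic_link_probability(batch):
    """Per-source probability that a guess is right under honest mixing: the
    fraction of the batch requesting the same application. It equals 1 when every
    vehicle in the batch requests the same app_x, the residual weakness noted in
    Section III-C.2."""
    apps = [app for _, app in batch]
    return {src: apps.count(app) / len(apps) for src, app in batch}


if __name__ == "__main__":
    print("honest leader, distinct apps:",
          round(link_success_rate(SAMPLE_BATCH, 20000), 3))
    print("compromised leader, distinct apps:",
          link_success_rate(SAMPLE_BATCH, 1000, compromised=True))
    same_app = [(src, "app_nav") for src, _ in SAMPLE_BATCH]
    print("honest leader, all same app:", link_success_rate(same_app, 1000))
    print("analytic, distinct apps:", analytic_link_probability(SAMPLE_BATCH))
```

The honest-leader rate converges to 1/k for k distinct requests (the expected number of fixed points of a random permutation is 1), while the compromised leader and the all-same-app batch both give the adversary certainty, which is why the paper pairs random mixing with verification of mixing and leader rotation.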

3) Impersonation attack: In the proposed scheme, a vehicle cannot use a random pseudonym, since it must include the associated certificate from the RA in the safety messages (see the Cooperative Navigation protocol in the Appendix). But a vehicle may still try to impersonate another vehicle $i$ by using its overheard pseudonym. However, since each vehicle signs the broadcast safety messages, in order to impersonate $i$ the corresponding private key of $i$ must be obtained. Therefore, impersonation attacks can be avoided in VANET. Such defense mechanisms have been considered in [4], [5].

IV. Evaluation of VANET Location Privacy

In this section, we first describe potential tracking methods that can be employed to link two locations of a vehicle.

A. Tracking of Vehicles

1) Simple tracking: In this method, the adversary obtains the target vehicle's location $l_{known}$ and speed at time $t$, and then estimates, based on the possible movement directions, a reachable area $A_r$ around $l_{known}$, in which the vehicle's actual location $l_i$ at a future time $t_i$ can lie. Fig. 5(a) illustrates the simple tracking of a vehicle, and shows the reachable area of the vehicle determined by the achievable speed and silent period ranges.

2) Correlation tracking: As illustrated in Fig. 5(b), in correlation tracking the adversary uses a vehicle's last known location $l_{known}$, speed, and direction at time $t$ to estimate the entity's location $l_{est_i}$ at a future time $t_i$. The estimation is repeated until the maximum silent period is reached.

Note that in both tracking methods, we assume that the restricted mobility of vehicles prevents them from taking certain directions. Before evaluating the anonymity under the tracking methods by simulation, we first analytically evaluate the level of anonymity that can be achieved under the simple tracking method.


B. Analytical Evaluation of Anonymity

We use two performance measures to evaluate the level of anonymity (unlinkability) achieved in a VANET: (i) the size of the anonymity set; (ii) the maximum tracking/identifiable time. The anonymity set was introduced by Chaum [16], and the size of the anonymity set was shown to be a good indicator of how much anonymity is provided. The anonymity set of a target, denoted by $S_A$, is defined as the set of pseudonyms that are indistinguishable from the target's pseudonyms to an adversary, and the set includes the target's pseudonyms themselves. The size of the anonymity set, denoted by $|S_A|$, depends on the knowledge and the tracking method of an adversary. The second measure, the maximum tracking time of a target, denoted by $T_{track}$, is defined as the maximum cumulative time that the size of the anonymity set of the target remains one.

We assume that vehicles are uniformly distributed on city streets or freeways with density $\rho$. Although a uniform density neglects the constraints imposed by the street layout, Seskar et al. [17] showed that a uniform distribution is sufficient for estimation of vehicles crossing cell boundaries in mobile cellular networks, when the street layout is not symmetric and the velocities and densities are properly related. In our simulation, we assume that the arrival rate and the departure rate of vehicles are the same. Therefore, the total number of vehicles in the vehicular network deployment region, denoted by $N$, remains statistically the same, as does the density of vehicles.

Given that vehicles are uniformly distributed, the number of vehicles in an area $A$, denoted by $n(A)$, is distributed according to a spatial Poisson process as [18]:

$$\Pr\{n(A) = i\} = e^{-\rho A} \frac{(\rho A)^i}{i!},$$

with average $\rho A$.

Suppose that a global adversary is tracking a target by overhearing the broadcasts of the target, and is using the simple tracking method. The duration between each broadcast can be regarded as a silent period, denoted by s_period. We first consider the scenario in which every vehicle uses a new pseudonym in each broadcast. The reachable area of the target from its last transmission, denoted by A_r, is the half ring bounded by the road/lane layout, as shown in Fig. 5(a). Any vehicle that appears in the reachable region with a new pseudonym is a possible candidate for the target to the adversary.¹ Given that there is at least one vehicle, the target, in the reachable region A_r, the probability that the target can be uniquely identified at each transmission, denoted by p_track, is:

$$p_{track} = \Pr\{\nu(A_r) = 1 \mid \nu(A_r) \ge 1\} = \frac{\Pr\{\nu(A_r) = 1\}}{1 - \Pr\{\nu(A_r) = 0\}} = \frac{\rho A_r\, e^{-\rho A_r}}{1 - e^{-\rho A_r}} \quad (1)$$

The expected maximum tracking time is:

$$E\{T_{track}\} = \sum_{k=1}^{\infty} k\, p_{track}^{\,k-1}\,(1 - p_{track})\, E\{s_{period}\} = \frac{E\{s_{period}\}}{1 - p_{track}} \quad (2)$$

¹ We assume that vehicles periodically broadcast around the same time; then the number of vehicles in the reachable area of the target will be the number of new pseudonyms in its anonymity set. We also note that an adversary cannot distinguish vehicles based on the order of broadcast, due to random access.
[Fig. 5: two panels, each showing LANE 1, LANE 2 and LANE 3; (a) Simple Tracking of Vehicles, (b) Correlation Tracking of Vehicles]

Fig. 5. Illustration of simple tracking and correlation tracking of vehicles. s_min, s_max are the minimum and maximum speed limits, and s_period,min, s_period,max are the minimum and maximum silent period values, respectively. The reachable area is defined by the minimum reachable distance d_min and the maximum reachable distance d_max, where d_min = s_min × s_period,min and d_max = s_max × s_period,max. Location l_est,i is estimated at time t_i, using the observed velocity of the vehicle at its last known position l_known at time t, where t_i ∈ [t + s_period,min, t + s_period,max]. Since vehicles tend to not change direction frequently, they become more susceptible to correlation tracking, as shown in the evaluation.


The expected size of the anonymity set of a target is:

$$E\{|S_A|\} = E\{\nu(A_r) \mid \nu(A_r) \ge 1\} = \frac{E\{\nu(A_r)\}}{1 - \Pr\{\nu(A_r) = 0\}} = \frac{\rho A_r}{1 - e^{-\rho A_r}} \quad (3)$$

Next, we consider the case in which a vehicle updates its pseudonym with probability p_u < 1 at each broadcast. In this scenario, the anonymity set of the target equals l, for l ≥ 2, if and only if (i) the target updates its pseudonym, and (ii) there are l − 1 other vehicles updating their IDs, out of the ν(A_r) − 1 vehicles in A_r excluding the target. Given the number of vehicles in A_r, the number of vehicles broadcasting with new IDs is Binomially distributed. For l ≥ 2:


$$\Pr\{|S_A| = l\} = \sum_{i=l}^{N} \Pr\{|S_A| = l \mid \nu(A_r) = i\}\,\Pr\{\nu(A_r) = i \mid \nu(A_r) \ge 1\} = \sum_{i=l}^{N} p_u \binom{i-1}{l-1} p_u^{\,l-1} (1-p_u)^{\,i-l}\, \frac{(\rho A_r)^i\, e^{-\rho A_r}}{i!\,(1 - e^{-\rho A_r})}$$

The probability p_track, when the pseudonym update probability of each vehicle is p_u, is:

$$p_{track}(p_u) = 1 - \sum_{l=2}^{N} \Pr\{|S_A| = l\} = 1 - \sum_{l=2}^{N} \sum_{i=l}^{N} p_u \binom{i-1}{l-1} p_u^{\,l-1} (1-p_u)^{\,i-l}\, \frac{(\rho A_r)^i\, e^{-\rho A_r}}{i!\,(1 - e^{-\rho A_r})} \quad (4)$$

Then we can apply the above p_track(p_u) in Eq. (2) to obtain the expected maximum tracking time.

$$E\{|S_A| \text{ for given } p_u\} = \sum_{l=2}^{N} l \cdot \Pr\{|S_A| = l\} + 1 \cdot \Big(1 - \sum_{l=2}^{N} \Pr\{|S_A| = l\}\Big) = 1 + \sum_{l=2}^{N} (l-1)\,\Pr\{|S_A| = l\} \quad (5)$$

Letting p_u = 1, it is easy to verify that Eq. (4) and (5) reduce to Eq. (1) and (3), respectively.
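As an added worked example (not code from the paper), the following Python functions evaluate Eqs. (1) to (5) for a given ρA_r, the mean number of vehicles in the reachable area, truncating the sums at N as the equations do; the check that Eq. (4) and (5) reduce to Eq. (1) and (3) at p_u = 1 is the one the text asks the reader to verify.

```python
import math


def _check(rho_ar: float) -> None:
    # rho*A_r must be positive: the target itself is in A_r, so the conditioning
    # event nu(A_r) >= 1 has positive probability and Eqs. (1)-(5) are defined.
    if rho_ar <= 0:
        raise ValueError("rho*A_r must be positive")


def p_track(rho_ar: float) -> float:
    """Eq. (1): probability that the target is uniquely identified at a broadcast
    when every vehicle uses a fresh pseudonym; rho_ar = rho * A_r."""
    _check(rho_ar)
    return rho_ar * math.exp(-rho_ar) / (1.0 - math.exp(-rho_ar))


def expected_tracking_time(rho_ar: float, e_speriod: float) -> float:
    """Eq. (2): E{T_track} = E{s_period} / (1 - p_track)."""
    return e_speriod / (1.0 - p_track(rho_ar))


def expected_anonymity_set(rho_ar: float) -> float:
    """Eq. (3): E{|S_A|} = rho*A_r / (1 - exp(-rho*A_r))."""
    _check(rho_ar)
    return rho_ar / (1.0 - math.exp(-rho_ar))


def anonymity_set_pmf(l: int, rho_ar: float, p_u: float, n_max: int) -> float:
    """Pr{|S_A| = l} for l >= 2 when each vehicle updates with probability p_u:
    the target updates AND l-1 of the other i-1 vehicles in A_r update
    (Binomial), summed over the conditional Poisson count i = l..N."""
    _check(rho_ar)
    if l < 2:
        raise ValueError("the formula is stated for l >= 2")
    norm = 1.0 - math.exp(-rho_ar)  # Pr{nu(A_r) >= 1}
    total = 0.0
    for i in range(l, n_max + 1):
        # (1 - p_u) ** 0 == 1.0 in Python even when p_u == 1, so the i == l term
        # survives at p_u = 1 as required for the reduction to Eq. (1).
        binom = float(math.comb(i - 1, l - 1)) * p_u ** (l - 1) * (1.0 - p_u) ** (i - l)
        # Poisson term in log form to avoid overflow in (rho*A_r)**i / i! for large i.
        poisson = math.exp(i * math.log(rho_ar) - rho_ar - math.lgamma(i + 1))
        total += p_u * binom * poisson / norm
    return total


def p_track_pu(rho_ar: float, p_u: float, n_max: int = 200) -> float:
    """Eq. (4): the target is tracked unless its anonymity set has size >= 2."""
    return 1.0 - sum(anonymity_set_pmf(l, rho_ar, p_u, n_max) for l in range(2, n_max + 1))


def expected_anonymity_set_pu(rho_ar: float, p_u: float, n_max: int = 200) -> float:
    """Eq. (5): 1 + sum over l >= 2 of (l - 1) * Pr{|S_A| = l}."""
    return 1.0 + sum((l - 1) * anonymity_set_pmf(l, rho_ar, p_u, n_max)
                     for l in range(2, n_max + 1))


if __name__ == "__main__":
    # Constructed parameters: on average one vehicle in A_r, 300 ms broadcast period.
    for p_u in (1.0, 0.75, 0.5):
        print(p_u, p_track_pu(1.0, p_u), expected_anonymity_set_pu(1.0, p_u))
    print("E{T_track} at p_u = 1:", expected_tracking_time(1.0, 0.3))
```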

C.  Simulation  Setup 

In order to simulate the mobility of vehicles in vehicular networks, we consider two maps for the vehicles to move in: (1) Freeway, and (2) Street with intersections. For the freeway, we simulate a 4-lane road, with each lane of length 5 km, and with vehicles moving in only one direction. For the street map, we randomly generate a network of intersecting streets on a uniform 2 km × 2 km grid, with streets separated by 0.5 km. We only consider two types of streets: (a) two-lane, one-way, and (b) two-lane, two-way. The lane separation in both the freeway and the street model is 3 meters.

The mobility of vehicles is governed by the following features: (1) Car following model [11], which controls the speed and distance of a succeeding vehicle by making it keep a safety distance (20 meters for freeway, and 10 meters for street) from the preceding vehicle for a certain tolerance time, and then change lane if possible. (2) Lane changing model, which allows the vehicle to move to an adjacent lane if there is space in that lane, i.e. if there is no vehicle within the safety distance of the position taken when changing lane.

For the street model, we do not account for any intersection behavior, in terms of traffic lights or stop signs. However, at every intersection, we incorporate random mobility by making each vehicle choose to make a left or right turn (if not a one-way street) with probability 0.25 each, or to not change direction with probability 0.5. In both freeway and street models, we do not incorporate the length of vehicles. For the freeway, the speed range is set to [72 km/hour, 144 km/hour], and the acceleration range is set to [0 m/sec², 5 m/sec²]. For the streets, the speed range is set to [36 km/hour, 72 km/hour], and the acceleration range is set to [0, 2 m/sec²].

[Fig. 6: plot of anonymity achieved under simple and correlation tracking in a 4-lane freeway (prob. of update of ID = 1) against the average number of nodes per lane (200 to 450); series: Simple tracking (100 ms), Simple tracking (300 ms), Simple tracking (500 ms), Correlation tracking (500 ms), and theoretical simple tracking curves]

Fig. 6. Average anonymity provided to a target when it updates its pseudonym in a 4-lane freeway, for different numbers of vehicles (nodes) per lane.

[Fig. 7: plot of anonymity achieved under simple tracking in a 4-lane highway (avg. no. of nodes/lane = 150) against the probability of updating ID; series: 300 ms, 500 ms]

Fig. 7. Average anonymity provided to a target in a 4-lane freeway, for different probabilities of updating the pseudonym.

The  traffic  volume  for  freeway  is  set  to  3000  vehi- 
cles/hour/lane,  and  to  1000  vehicles/hour/street  for  the  streets. 
These  numbers  are  approximated  from  [19],  where  24-hour 
traffic  volume  estimates  are  provided  based  on  real  traffic 
data.  At  the  beginning  of  the  simulation,  the  vehicles  are 
uniformly  distributed  in  the  lanes.  It  should  be  noted  that  due 
to  the  higher  traffic  volume,  the  average  number  of  vehicles 
per  lane  for  the  freeway  is  higher  compared  to  the  street 
model.  This  setting  holds  under  the  assumption  that  there  is 
free  flow  movement  of  vehicles,  i.e.  we  do  not  account  for 
congestion  that  may  arise  in  streets.  Analysis  of  the  anonymity 
provided  for  vehicles  in  real  street  maps  and  traffic  data  will 
be  considered  in  our  future  work. 

During simulation, for each lane (in the freeway map) and each street (in the street map), we model the arrival (at pre-determined entry points) and departure of vehicles (at pre-determined exit points) according to a Poisson process, based on the traffic volume. The arrival and departure rates are set to be the same, leading to almost the same average number of vehicles per lane (street) over time. The border effect of the bounded simulation region on the vehicle mobility is accounted for by making the vehicle reappear in the region. Currently, we do not integrate any communication traffic model in our simulation.
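To show how a simulation of simple tracking relates to the setup above, here is an added Monte Carlo example (not the authors' simulator): constructed vehicles move at constant speeds on a one-directional freeway that wraps at its end, every vehicle uses a fresh pseudonym in each broadcast (p_u = 1), and a global adversary counts the vehicles heard inside the target's reachable interval [d_min, d_max] from the Fig. 5 caption. Car following, lane changing and acceleration are left out, which is an assumption of this example, not of the paper's setup.

```python
import bisect
import random


def _count_in_window(sorted_pos, start, length, road_len):
    """Count positions in [start, start + length] on a ring of circumference
    road_len (the freeway wraps, so the window may straddle the wrap point)."""
    lo = start % road_len
    hi = lo + length
    if hi < road_len:
        return bisect.bisect_right(sorted_pos, hi) - bisect.bisect_left(sorted_pos, lo)
    return (len(sorted_pos) - bisect.bisect_left(sorted_pos, lo)
            + bisect.bisect_right(sorted_pos, hi - road_len))


def simulate_simple_tracking(vehicles_per_lane, lanes=4, road_len=5000.0,
                             s_min=20.0, s_max=40.0, s_period=0.3,
                             rounds=40, seed=7):
    """Estimate p_track and the mean anonymity-set size under simple tracking.

    Constructed model: positions are projected onto one axis because the
    reachable area spans all lanes (vehicles may change lane); every vehicle
    broadcasts once per s_period with a new pseudonym, so the adversary can
    only match by position.  Speeds are in [s_min, s_max] metres per second.
    """
    rng = random.Random(seed)
    n = vehicles_per_lane * lanes
    pos = [rng.uniform(0.0, road_len) for _ in range(n)]
    speed = [rng.uniform(s_min, s_max) for _ in range(n)]
    # Reachable distances from the Fig. 5 caption, with a fixed silent period.
    d_min, d_max = s_min * s_period, s_max * s_period
    eps = 1e-9  # tolerance so the target's own new position is never excluded
    tracked = 0
    set_sizes = 0
    for _ in range(rounds):
        last = pos  # positions heard in the previous broadcast
        pos = [(x + v * s_period) % road_len for x, v in zip(pos, speed)]
        heard = sorted(pos)  # positions heard in the current broadcast
        for x_t in last:  # every vehicle is evaluated as the target
            # Candidates: all vehicles now heard inside the reachable interval.
            size = _count_in_window(heard, x_t + d_min - eps,
                                    d_max - d_min + 2 * eps, road_len)
            set_sizes += size
            tracked += size == 1  # anonymity set of one: target identified
    samples = rounds * n
    return {"p_track": tracked / samples, "mean_anonymity_set": set_sizes / samples}


if __name__ == "__main__":
    for per_lane in (100, 200, 300, 400):
        print(per_lane, simulate_simple_tracking(per_lane))
```

The printed values fall with the number of vehicles per lane, which is the trend the page reports for Fig. 8.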

D. Evaluation of Location Privacy under the Global Passive Adversary Model

We first evaluate the average anonymity that can be provided to a vehicle under the global adversary model, where all broadcasts of all the vehicles are overheard by the adversary. Fig. 6 and Fig. 7 show the average level of anonymity that can be provided when a target vehicle in the freeway updates its pseudonym between two of its safety message broadcasts. The probability that any vehicle updates its pseudonym determines how many neighboring vehicles of the target change their pseudonym along with the target. Hence, with the decrease in this probability, it is expected that, as in Fig. 7, the target anonymity set reduces to 1. Fig. 8 shows that the maximum tracking time of a target under simple tracking reduces to the safety broadcast period with an increase in the number of vehicles per lane. From Figs. 6 and 8, we see that the theoretical values for the average level of anonymity and the maximum tracking time, derived from Eq. (3) and (2), are slightly pessimistic compared to the simulated values. Fig. 9 shows the achievable anonymity level in the street map. By comparing with Fig. 6, we see that the anonymity level provided in streets is lower. This is due to the relatively lower vehicle density in streets, as discussed in the previous section, since we assume a lower traffic volume for streets than for freeways. Due to space limitations, in this paper we only provide the anonymity enhancement evaluation for the freeway model.

[Fig. 8: plot of maximum tracking time of a target under simple tracking in a 4-lane freeway (prob. of ID update = 1) against the average number of nodes per lane (200 to 400); series: Simulated (300 ms), Theoretical (300 ms)]

Fig. 8. Maximum tracking time of a target in a 4-lane freeway, for different numbers of vehicles per lane.

It can be observed from Figs. 6, 7 and 9 that as we increase the safety message broadcast period from 100 ms to 500 ms, the level of anonymity increases under simple tracking. However, we cannot achieve an increase in the anonymity level under correlation tracking. Since vehicles tend to not change direction in short time intervals, the correlation tracking method can be used successfully to track them. In order to address this weakness, next we evaluate the gain in anonymity achieved by increasing the random silent period value.


[Figs. 9 to 12: plots titled "Anonymity achieved by target under Correlation and Simple tracking in Street Model (Prob. of update of ID = 1)", "Anonymity achieved under correlation tracking with random silent period during join in 4-lane Freeway", and "Anonymity achieved with RSU separation in a 4-lane Freeway"; legend entries visible: Simple tracking (100 ms), Correlation tracking (100 ms), Simple tracking (500 ms), Correlation tracking (500 ms); Fig. 12 x-axis: Probability of updating ID]

Fig. 9. Average anonymity provided to a target when it updates its pseudonym in the street model, for different numbers of vehicles per street.

Fig. 10. Enhancement in anonymity obtained from the tradeoff of the safety message broadcast period with the random silent period during network join.

Fig. 11. Enhancement in anonymity obtained under correlation tracking with different values for the random silent period during network join.

Fig. 12. Enhancement in anonymity obtained from RSU separation.


E.  Evaluation  of  Location  Privacy  Enhancement  with  Silent 
Period 

Fig. 10 shows the average anonymity level that can be achieved when a vehicle joining the network remains silent for a random period (less than a maximum value). As we increase the silent period from 500 ms to 2 secs, there is a significant increase in the anonymity level under the global adversary using simple tracking. However, we do not achieve a similar gain in the case of correlation tracking. Fig. 11 shows that the silent period has to be increased further to achieve a suitable anonymity level under correlation tracking.

For  anonymity  under  correlation  tracking,  the  vehicles  join¬ 
ing  the  network  must  remain  silent  for  a  period  greater  than  the 
safety  message  broadcast  period.  For  instance,  from  Fig.  11, 
a  vehicle  must  remain  silent  and  not  broadcast  any  message 
for  at  least  1  sec  to  achieve  average  anonymity  of  2.  Hence, 
for  vehicles  participating  in  safety  applications,  this  solution 
presents  a  tradeoff  between  vehicle  anonymity  and  vehicle 
safety,  since  by  increasing  silent  period  of  target  beyond  the 
safety  message  period,  we  decrease  the  safety  of  the  target’s 
neighboring  vehicles.  Therefore,  in  the  following  section,  we 
propose  another  solution  for  vehicles  participating  in  safety 
applications.  This  alternate  solution  takes  into  account  the 
observation  that  the  safety  message  broadcast  range  for  vehi¬ 
cles  can  be  smaller  than  the  broadcast  range  needed  for  other 
VANET  applications. 


F.  Location  Privacy  Enhancement  with  RSU  Separation 

In [5], an observation is made about the restricted coverage of RSUs due to the separation between them. We illustrate this observation using Fig. 13. Based on the RSU separation (RSU_sep) and the safety message broadcast range (r_p), we can define geographical regions called overheard and non-overheard regions. As seen, in the overheard region, all the safety message broadcasts are received by the RSU. However, the RSUs will not be able to overhear safety message broadcasts of the vehicles in the non-overheard region. We note here that the vehicles can be assumed to be capable of controlling their transmission range, and therefore can communicate with the RSU if needed in the non-overheard region. As shown in Fig. 13, the group leader vehicle can increase its transmission power to reply to the probe data request from the RSU.

Given  the  above  scenario,  if  the  target  vehicle  updates  its 
pseudonym  in  the  non-overheard  region,  and  if  there  is  at  least 
one  other  vehicle  in  the  non-overheard  region  that  also  updates 
pseudonym,  then  the  adversary  may  not  be  able  to  track  the 
target  when  it  exits  the  non-overheard  region.  The  anonymity 
set  of  the  target  will  include  all  the  vehicles  that  update  their 
pseudonym  along  with  the  target  in  the  non-overheard  region. 

Fig.  12  shows  that  with  increase  in  RSU  separation,  the 
average  anonymity  level  provided  to  a  target  increases  sig¬ 
nificantly  under  simple  tracking,  as  well  as  under  correlation 
tracking. 

It is worth noting here that by taking the RSU separation into account, we no longer consider tracking under the global adversary model. The adversary model becomes relatively weaker, since not all the broadcasts are overheard.

[Fig. 13: diagram of the path of vehicles between two RSUs; labels: r_p: cooperative navigation transmission range of a node; RSU_sep: distance between two RSUs; min_broadcast_period: time between cooperative navigation broadcasts; s_max: max speed limit for any vehicle; r_no: distance over which a node is not overheard by an RSU]

Fig. 13. Illustration of overheard and non-overheard regions in the path of vehicles.

G.  Comparison  of  Silent  Period  with  RSU  Separation 

Comparing the silent period with the RSU separation solution, we see that the two are similar in approach, since both ensure a time period in which the target will move without being overheard. However, comparing Fig. 10 and Fig. 12, it can be seen that the random silent period is unable to provide as much anonymity as the RSU separation solution under correlation tracking. We observe that this is due to the larger time period during which the target is not overheard in the RSU separation solution. A separation of RSU_sep indicates that the time of not being overheard lies in [RSU_sep/s_max, RSU_sep/s_min], where s_min, s_max are the minimum speed and maximum speed, respectively, that the target can assume. Fig. 11 justifies this observation by showing how anonymity improves with an increase in the silent period.

On the other hand, the random silent period solution only needs a relatively small time period to provide equal or better performance under simple tracking, compared to the RSU separation solution. For instance, a silent period of 2 secs achieves the same average anonymity level provided by an RSU separation of 2 km. The reason for this performance difference is that with the RSU separation, due to the known exit border of the non-overheard region, the reachable area of the target is located only at the exit border, and is limited by s_max and the minimum broadcast period, as shown in Fig. 13. Hence, even if a vehicle updates its pseudonym more than once in the non-overheard region, it will be accounted for only once, i.e. in the reachable area. On the other hand, in the random silent period technique, since there are no non-overheard/overheard region assumptions, the reachable area is relatively larger, and hence, if a vehicle updates its pseudonym more than once in the reachable area, it will be accounted for that many times.

V.  Related  Work 
A.  VANET  Security  and  Privacy 

Security and privacy issues in VANET have just begun to attract attention from both academic and corporate research. Recently, in [3], [4], Hubaux et al. from EPFL provide a general framework for security issues in VANET, and analyze in detail the threats and challenges regarding security and privacy in VANET. They propose several interesting solutions for VANET security, such as Electronic License Plates (ELPs), which are unique cryptographically verifiable numbers equivalent to traditional license plates, and location verification based on verifiable multilateration as an approach to address the liability requirements of VANET. Dotzer et al. [6], [20] from BMW Research have also separately addressed the privacy problems in VANET, and the security of V2I communications for safety, particularly between vehicles and traffic lights. In [5], a scheme for providing anonymity in VANET is given, where the vehicles update their keys when changing direction. However, these works do not consider the achievable privacy under the global adversary model. In other related VANET security work, Golle et al. [15] address the problem of an adversary injecting malicious data into the network, and propose a general approach to evaluating the validity of the data, where each node searches for possible explanations for the data it has received and collected. ISO/TC204 [21] is responsible for the global standardization activity of ITS. The privacy issue in the probe data application is one of the working issues in WG16 of ISO/TC204. However, in comparison with our work, they assume a weaker adversary model. Assuming trusted RSUs not capable of location estimation, they address a policy based approach to protect the privacy of users from service providers.

B.  Mobility  Models  for  VANET 

With  emerging  interest  in  VANET,  there  have  been  efforts 
on  modeling  the  mobility  of  vehicles.  In  [22],  two  models 
(Freeway  and  Manhattan  models)  are  proposed  for  mobile  ad 
hoc  network  simulation.  Both  of  these  models  account  for 
the  spatial  dependency  between  mobile  nodes,  and  restricted 
movement  of  nodes  in  freeway  and  the  street  map.  Because 
of  their  simplicity,  we  use  slight  variants  of  these  models  in 
our  study,  by  incorporating  additional  parameters  such  as  lane 
changing.  The  study  by  Saha  and  Johnson  in  [23],  accounts 
for  restricted  movement  on  real  map  data,  and  uses  the  current 
vehicle  traffic  conditions  in  determining  the  path  of  nodes 
to  their  respective  destinations.  However,  they  do  not  take 
into  account  the  spatial  dependency  between  the  nodes.  Very 
recently, the STRAW model has been proposed in [24] that, unlike [23], takes into account the spatial dependency between nodes, but does not incorporate lane changing. In [25], an overview of some existing vehicle traffic simulators is given.

C.  Location  Privacy  Enhancement  for  Mobile  Networks 

To  protect  users  from  location  privacy  threats,  there  are 
several  research  studies  in  mobile  networks.  Gruteser  and  his 
colleagues  [10],  [19]  have  worked  extensively  on  protecting 
location  privacy  in  WLAN.  Their  approach  is  based  on  ad¬ 
justing  the  resolution  of  location  along  spatial  and  temporal 
dimensions,  and  assumes  that  nodes  provide  their  location, 
rather  than  the  location  being  estimated  by  any  AP/RSU.  On 
the  other  hand,  Beresford  [26]  proposes  the  concept  of  the 
MIX  zone  based  on  Chaum’s  [14]  MIX,  to  protect  location 
privacy  of  LBS  application  users  from  service  providers.  The 
MIX  zone  for  a  group  of  users  is  a  connected  geographical 
region  where  no  application  is  accessible.  Because  application 
providers  do  not  receive  any  location  information  when  users 
are in a MIX zone, the user identities are mixed. In [12], [27], Huang et al. propose a random silent period to protect user trajectory privacy. However, all of these works assume that the wireless nodes have unrestricted and independent mobility, and hence do not consider the unique constraints of VANET.

VI.  Conclusions  and  Future  Work 

In this paper, we addressed the location privacy threats that arise in VANET due to tracking of vehicles based on their broadcasts, and proposed a solution called CARAVAN. Taking into account the mobility and the application features in VANET, we identified that by combining neighboring vehicles into groups, it is possible to reduce the number of times a vehicle needs to broadcast for V2I applications such as probe vehicle data. Using groups, the vehicles can be provided with an extended silent period, which in turn enhances their anonymity. Assuming the global adversary model, and under the safety application constraints of VANET, we evaluated the enhancement of anonymity achieved by our proposed solution. We also suggested an enhancement technique that takes into account the separation between RSUs and the transmission power control capability of vehicles. Further, we proposed an anonymous access protocol to address threats to privacy that arise due to access to LBS applications, and found that it was robust under the global adversary model, as well as under the safety application constraints. Future work includes evaluation of the proposed location privacy solutions under more realistic mobility for vehicles, combined with map data, and with communication traffic models.
TABLE I
Abbreviations

GPA    Global Passive Adversary
OBU    On-Board Unit
RSU    Road Side Unit
V2V    Vehicle-to-Vehicle
V2I    Vehicle-to-Infrastructure
IVC    Inter-Vehicle Communication
VANET  Vehicle Ad-hoc NETwork
LBS    Location Based Service
DSRC   Dedicated Short Range Communication

Appendix 

A.  Protocols  for  Group  Formation,  Group  Join,  Group  Leave, 
Group  Operation 

In  the  sections  below,  we  detail  the  various  protocols 
involved  in  the  proposed  location  privacy  scheme  for  VANETs. 

1) Group Join Protocol: Each vehicle (node) i, upon entering the network, periodically broadcasts safety messages for cooperative navigation. However, node i simultaneously attempts to join one of the nearest existing groups. The node i listens for broadcasts from any neighboring group leader GL_j, and then requests GL_j for membership to group G_j. A group leader can be identified by its address included in its broadcasts. The y least significant bits of the group leader's address will be set to zero (see Group Formation protocol). GL_j verifies (using the spatial parameters of i included in the request) if i is in the range of all members of G_j. We restrict the group to have full connectivity, so that group leader rotation is possible. GL_j also verifies the public key of i included in the request, and provides i with the group key k_G and the LBS application address range, encrypted with the public key of i. The pseudocode of the group join protocol is given below.

Group Join Protocol (GROUP_JOIN)

1. i: listen for broadcasts from neighboring group leaders, collecting the set L_i, until (L_i ≠ ∅) and (waited for s_period,max)
   if (L_i ≠ ∅)
2.    i: identify G_j ∈ L_i that was last heard
3.    i: change PID_{i,k-1} to PID_{i,k} ∈ {PID_i}
4.    i → GL_j: request = A_{GL_j} || PID_{i,k-1} || join_request
         where join_request = K_{PID_{i,k-1}} || sign_RA(K_{PID_{i,k-1}}) || location_i || velocity_i || acceleration_i || timestamp
5.    if (verified K_{PID_{i,k-1}}) and (location_i is within range of node a, ∀a ∈ G_j)
         GL_j: store PID_{i,k-1} || K_{PID_{i,k-1}} || sign_RA(K_{PID_{i,k-1}})
         GL_j → i: reply = PID_{i,k-1} || A_{GL_j} || E_{K_{PID_{i,k-1}}}(k_G || app_address_range)
      else
         GL_j: do not reply
      endif
6.    if (received reply within T_max)
         i: set address A_{i,j} = PID_{i,k}
         i: go to GROUP_OPERATION
      else
         i: identify G_k ∈ L_i \ G_j
         i: set G_j = G_k
         if (less than R_max repetitions without any reply)
            i: go to Step 4
         else
            i: go to GROUP_FORM
         endif
      endif
   else
      i: go to GROUP_FORM
   endif
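An added example (not the paper's code) of the leader-side checks in Step 5 of GROUP_JOIN: the RA credential on the pseudonym key, the A_{GL_j} = GID_j || 0^y address form, and the full-connectivity range check against every current member. The HMAC tag standing in for sign_RA, the dictionary message layout and the unencrypted reply payload are assumptions of this example.

```python
import hashlib
import hmac
import math

# Constructed stand-in: the paper uses the RA's public-key signature sign_RA over
# a pseudonym's public key K_PID; here an HMAC-SHA256 tag under an RA secret
# plays that role so the block runs offline. Not the paper's construction.
RA_SECRET = b"constructed-ra-secret-not-from-the-paper"


def sign_ra(pid_key: bytes) -> bytes:
    """Stand-in for sign_RA(K_PID): the RA's credential on a pseudonym key."""
    return hmac.new(RA_SECRET, pid_key, hashlib.sha256).digest()


def is_group_leader_address(address: int, y: int) -> bool:
    """A_{GL_j} = GID_j || 0^y: a leader address has its y least significant bits cleared."""
    return address & ((1 << y) - 1) == 0


def make_join_request(leader_address, pid_prev, pid_key, sig,
                      location, velocity, acceleration, timestamp):
    """Step 4 of GROUP_JOIN: A_{GL_j} || PID_{i,k-1} || join_request (assumed dict layout)."""
    return {
        "leader_address": leader_address,
        "pid": pid_prev,
        "join_request": {
            "pid_key": pid_key, "sig": sig, "location": location,
            "velocity": velocity, "acceleration": acceleration, "timestamp": timestamp,
        },
    }


class GroupLeader:
    """Group leader GL_j holding the member list of G_j."""

    def __init__(self, gid, y, location, tx_range, group_key, app_address_range):
        self.address = gid << y          # GID_j || 0^y
        self.location = location
        self.tx_range = tx_range         # range within which members must lie
        self.group_key = group_key       # k_G
        self.app_address_range = app_address_range
        self.members = {}                # PID -> stored credential and last location

    def handle_join(self, request):
        """Step 5 of GROUP_JOIN: reply only if the RA credential verifies and the
        requester is in range of the leader and every current member (full
        connectivity, so that leader rotation stays possible). None = no reply."""
        if request["leader_address"] != self.address:
            return None                  # request addressed to another leader
        jr = request["join_request"]
        if not hmac.compare_digest(sign_ra(jr["pid_key"]), jr["sig"]):
            return None                  # pseudonym key not certified by the RA
        anchors = [self.location] + [m["location"] for m in self.members.values()]
        if any(math.dist(jr["location"], loc) > self.tx_range for loc in anchors):
            return None                  # would break full connectivity of G_j
        self.members[request["pid"]] = {
            "pid_key": jr["pid_key"], "sig": jr["sig"], "location": jr["location"],
        }
        # The paper encrypts (k_G || app_address_range) under K_{PID_{i,k-1}};
        # that encryption is outside this example, so the payload is returned as-is.
        return {"pid": request["pid"], "leader_address": self.address,
                "payload": (self.group_key, self.app_address_range)}
```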


2) Group Formation Protocol: In the above protocol, the node i may not be successful in finding a group to join. The node then creates a group by means of the group formation protocol. i communicates with the RA via the RSU to obtain the group leader ID, GID_j, used in the group leader address A_{GL_j}. This interaction is needed to avoid collision of the group leader addresses, since the y least significant bits of the address are set to zero, i.e. A_{GL_j} = GID_j || 0^y. Similarly, collisions in the address range provided for LBS application access are avoided. The pseudocode for the protocol is given below.

Group Formation Protocol (GROUP_FORM)

if (no group heard in GROUP_JOIN) or (no group leader replied in GROUP_JOIN)
1. i: choose PID_{i,k} ∈ {PID_i}
2. i → RSU: leader_notification = A_broadcast || PID_{i,k} || K_{PID_{i,k}} || sign_RA(K_{PID_{i,k}})
3. RSU, RA: verify K_{PID_{i,k}}, and generate E_{K_{PID_{i,k}}}(GID_j || address_range)
4. RSU → i: broadcast reply = PID_{i,k} || A_RSU || E_{K_{PID_{i,k}}}(GID_j || address_range)
5. i: if (received RSU reply within duration T_max)
      i: generate A_{GL_j} = GID_j || 0^y
      i: go to GROUP_OPERATION, listen for join_request
      i: if (no GROUP_JOIN request) and (waited for duration W_max)
         i: go to GROUP_JOIN
      endif
   else
      if (number of repetitions of broadcast < R_max)
         i: repeat Step 2
      else
         i: go to GROUP_JOIN
      endif
   endif
endif


The address_range in Step 3 is used to provide the random address A_aa for the anonymous access to LBS applications. We note that the address_range can directly generate A_aa, or alternatively, it can be used to obtain random y-bit numbers xx...x that construct the random address A_aa = GID_j || xx...x.
3) Group Leaving Protocol: The nodes in a VANET are highly mobile, and often a node may accelerate or change direction with time. Consequently, a node can go out of range of the group, thereby leaving its current group, and joining another group near its new location. On the other hand, a node may simply update its pseudonym/address A_{i,j}. In either case, the group leader GL_j of node i's current group must assume that the node has left the group G_j. Therefore, in the group leaving protocol, when GL_j does not receive any safety message broadcast with the pseudonym of node i (recorded when joining the group) for a maximum time D_max, GL_j assumes that either the node i has left the group or it has updated its pseudonym/address A_{i,j}. Since in cooperative navigation the nodes periodically broadcast navigational data with period T_n, the group leader can set the period D_max to be a multiple of T_n. Node i will self-determine if it is out of range of GL_j, and will try to find a new group by executing the group join protocol. The pseudocode for the group leave protocol is as follows.

Group Leaving Protocol (GROUP_LEAVE)

1. i: compute current distance from group leader GL_j
2. i: if (going to be out of range from GL_j at leave_time)
      i: go to GROUP_JOIN
   endif
3. GL_j: if (no broadcast is received from i for duration D_max)
      GL_j: delete entry of A_{i,j} from current group member list
   endif


4) Group Operation Protocol: All the members of the group G_j participate in the group operation protocol, which consists of several subprotocols. The cooperative navigation protocol is used for safety applications. In addition, for the probe data application, we include an optional probe data aggregation protocol, where the group leader aggregates the data received from the members. The aggregated data is included in the reply from the group leader to the RSU probe request in the probe data collection protocol. As discussed in Section III-D.2, the group leader node cannot be provided location privacy, since it can be tracked based on its fixed pseudonym/address A_{GL_j}. Hence, periodically the role of the group leader is shared by the group members. This is implemented by the leader rotation protocol. The pseudocode for the group operation protocol is given below, followed by the various subprotocols.

Group Operation Protocol (GROUP_OPERATION)

1. G_j: go to COOPERATIVE_NAVIGATION
2. for all i ∈ G_j \ GL_j
      i: listen to broadcast sent by GL_j and go to GROUP_LEAVE
   endfor
3. G_j: optionally go to PROBE_DATA_AGGREGATION
4. GL_j: go to PROBE_DATA_COLLECTION
5. if (leader rotation is needed)
      G_j: go to LEADER_ROTATION
   else
      GL_j: go to Step 3
   endif


In the probe data aggregation protocol, only a fraction p of the nodes in
G_j broadcast data in each period T_d. The pseudocode for the probe data
aggregation among the members of group G_j is as follows. The function
aggregate_data is a suitable spatial data aggregation algorithm; it is not
detailed here since it is outside the scope of this paper.

Probe Data Aggregation (PROBE_DATA_AGGREGATION)

1. for all i ∈ G_j \ GL_j
       i → GL_j: PDATA_i = A_{GL_j} || A_{i,j} || location_i || probe_data_i
                 with probability p
       GL_j: record PDATA_i
   endfor

2. GL_j: execute aggregate_data to perform aggregation of all the received
   {PDATA_i} and PDATA_{GL_j}, and finally obtain AGGREGATED_DATA

3. G_j: go to Step 1 every T_d


The pseudocode for the probe data collection protocol is given below.

Probe Data Collection (PROBE_DATA_COLLECTION)

1. RSU → GL_j: probe_data_request = A_broadcast || A_RSU || request_message

2. GL_j: if (no AGGREGATED_DATA)
       data = location_{GL_j} || probe_data_{GL_j}
   else
       data = location_{GL_j} || AGGREGATED_DATA
   endif

3. GL_j → RSU: reply = A_RSU || A_{GL_j} || data

In Step 2, the group leader checks whether any data was aggregated recently.
If not, it sends its own self-generated probe data. We do not specify the
probe_data format in this paper. Note that the probe_data_request can include
a specific data resolution request, i.e. for high-resolution aggregated data
or for lower-resolution group-leader-only data.
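The leader-side bookkeeping behind Step 3 of GROUP_LEAVE and the two probe data protocols, as an added Go example that is not code from the paper: members that stay silent for longer than D_max are dropped from the member list, PDATA_i received within a period is aggregated, and the reply to the RSU carries only location_{GL_j} and AGGREGATED_DATA, never a member's address or location. The paper does not fix aggregate_data, the probe_data content, or the period values; the count/mean aggregate over a speed-like value and the constants T_n and D_max = 5·T_n are assumptions of this example.

```go
package main

// Added example, not code from the paper: the group leader's bookkeeping for Step 3 of
// GROUP_LEAVE, for PROBE_DATA_AGGREGATION and for PROBE_DATA_COLLECTION. The paper leaves
// aggregate_data and probe_data unspecified; the count/mean aggregate over a speed value,
// and the period constants, are assumptions.

import (
	"fmt"
	"time"
)

const (
	Tn   = 100 * time.Millisecond // assumed cooperative-navigation period T_n
	Dmax = 5 * Tn                 // D_max set to a multiple of T_n, as the text suggests
)

// PData is PDATA_i = A_{GLj} || A_{i,j} || location_i || probe_data_i.
type PData struct {
	Dst, Src  string
	Location  [2]float64
	ProbeData float64 // assumed content of probe_data_i (e.g. speed)
}

// Aggregated is AGGREGATED_DATA: it carries no per-member address or location, which is
// what keeps individual members out of the reply to the RSU.
type Aggregated struct {
	Count int
	Mean  float64
}

// Leader holds GL_j's member list, its own probe data and the PDATA received this period.
type Leader struct {
	Addr      string     // A_{GLj}
	Location  [2]float64 // location_{GLj}
	ProbeData float64    // probe_data_{GLj}
	lastHeard map[string]time.Time
	pending   []PData
	agg       *Aggregated
}

func NewLeader(addr string, loc [2]float64, members []string, now time.Time) *Leader {
	l := &Leader{Addr: addr, Location: loc, lastHeard: map[string]time.Time{}}
	for _, m := range members {
		l.lastHeard[m] = now
	}
	return l
}

// Heard records any broadcast from member i (navigation or probe data).
func (l *Leader) Heard(src string, now time.Time) { l.lastHeard[src] = now }

// Prune is GROUP_LEAVE Step 3: delete members silent for longer than D_max.
func (l *Leader) Prune(now time.Time) []string {
	var gone []string
	for m, t := range l.lastHeard {
		if now.Sub(t) > Dmax {
			delete(l.lastHeard, m)
			gone = append(gone, m)
		}
	}
	return gone
}

// Record is PROBE_DATA_AGGREGATION Step 1 on the leader side; PDATA not addressed to this
// leader is ignored.
func (l *Leader) Record(p PData, now time.Time) {
	if p.Dst != l.Addr {
		return
	}
	l.Heard(p.Src, now)
	l.pending = append(l.pending, p)
}

// Aggregate is Step 2: aggregate_data over the received {PDATA_i} and PDATA_{GLj}.
func (l *Leader) Aggregate() Aggregated {
	sum, n := l.ProbeData, 1
	for _, p := range l.pending {
		sum += p.ProbeData
		n++
	}
	a := Aggregated{Count: n, Mean: sum / float64(n)}
	l.agg, l.pending = &a, nil
	return a
}

// Reply is PROBE_DATA_COLLECTION Steps 2-3: reply = A_RSU || A_{GLj} || data, where data is
// location_{GLj} || AGGREGATED_DATA when an aggregate exists, else location_{GLj} || probe_data_{GLj}.
func (l *Leader) Reply(rsu string) string {
	if l.agg == nil {
		return fmt.Sprintf("%s||%s||%v||%v", rsu, l.Addr, l.Location, l.ProbeData)
	}
	return fmt.Sprintf("%s||%s||%v||%+v", rsu, l.Addr, l.Location, *l.agg)
}

func main() {
	t0 := time.Now()
	gl := NewLeader("GID1||00", [2]float64{47.65, -122.30}, []string{"GID1||01", "GID1||02"}, t0)
	gl.ProbeData = 10
	gl.Record(PData{Dst: "GID1||00", Src: "GID1||01", Location: [2]float64{47.651, -122.301}, ProbeData: 14}, t0.Add(Tn))
	gl.Aggregate()
	fmt.Println(gl.Reply("A_RSU"))                    // no member address or location appears
	fmt.Println("left:", gl.Prune(t0.Add(Dmax+Tn/2))) // GID1||02 has been silent for > D_max
}
```

The Reply string is what the RSU, and anyone overhearing it, can learn: the group leader's own location plus an aggregate, so the members' positions collected in Step 1 never leave the group.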

In the cooperative navigation protocol, each node independently and
periodically broadcasts a safety message every T_n. In order to ensure
liability of the message originator, as well as safety of the message
receiver, we require each node to sign each safety message and to include a
timestamp that ensures the freshness of the message. To enable verification
of the signature, the node includes the corresponding public key certificate.
On receiving a safety message, node i verifies that the message is valid and
then performs the safety computation.

Cooperative Navigation (COOPERATIVE_NAVIGATION)

1. i: NDATA_{i,j} = A_broadcast || A_{i,j}
                    || sign_i(navigation_data_i || timestamp) || sign_RA(K_{PID_{i,k}})

2. for all received NDATA_{a,x}
       i: validate and store NDATA_{a,x}
   endfor

3. i: execute safety_computation using valid {NDATA_{a,x}}

4. if (received intersection_RSU broadcast = A_broadcast || A_{IRSU} || location_{IRSU})
       i: if (less than two replies heard)
           i → intersection_RSU: A_{IRSU} || A_{i,j} || navigation_data_i
       endif
   endif

5. i: go to Step 1 every T_n.


In the above protocol, the data format can be navigation_data_i =
(location_i, speed_i, acceleration_i, direction_i, timestamp_i). Steps 1-3
are used to communicate navigational data between vehicles. Step 3 is only
illustrative of the use of navigational data for safety computation; there
may be other applications for such data that are not included here. The
algorithm for vehicle safety computation based on the navigational data of
neighboring vehicles is outside the scope of this paper.

Step 4 of the protocol is essentially used to achieve intersection vehicle
collision avoidance between two groups. To avoid redundancy, not all nodes in
G_j need to communicate. On the other hand, due to the critical nature of the
vehicle collision problem, we need to ensure protocol reliability and vehicle
safety. Hence, at least two nodes from G_j must communicate with the RSU at
the intersection. If we assume that the vehicle (on-board unit) transmission
range is smaller than the RSU range, the two or more nodes that reply in
Step 4 will be in proximity to the intersection RSU.
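Steps 1 and 2 of COOPERATIVE_NAVIGATION, as an added Go example that is not code from the paper: the sender signs navigation_data_i together with the timestamp and attaches sign_RA(K_{PID_{i,k}}); the receiver's "validate" rejects a message whose certificate was not issued by the RA, whose signature does not match the data, or whose timestamp falls outside a freshness window, before any safety_computation uses it. Ed25519 as the signature scheme, JSON as the byte encoding of navigation_data_i, and the 2-second window are assumptions of this example; the paper fixes none of them.

```go
package main

// Added example, not code from the paper: building and validating the
// COOPERATIVE_NAVIGATION safety message
//   NDATA_{i,j} = A_broadcast || A_{i,j} || sign_i(navigation_data_i || timestamp) || sign_RA(K_{PID_{i,k}}).
// Ed25519, JSON encoding and the 2-second freshness window are assumed choices.

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// FreshnessWindow is the assumed maximum age (and clock skew) a receiver tolerates.
const FreshnessWindow = 2 * time.Second

// NavigationData is navigation_data_i = (location_i, speed_i, acceleration_i, direction_i, timestamp_i).
type NavigationData struct {
	Location     [2]float64
	Speed        float64
	Acceleration float64
	Direction    float64
	Timestamp    int64 // unix milliseconds
}

// Certificate is sign_RA(K_{PID_{i,k}}): the pseudonym public key plus the RA's signature over it.
type Certificate struct {
	PubKey ed25519.PublicKey
	RASig  []byte
}

// NData is the on-air message NDATA_{i,j}.
type NData struct {
	Dst, Src string         // A_broadcast, A_{i,j}
	Nav      NavigationData // navigation_data_i || timestamp
	Sig      []byte         // sign_i(navigation_data_i || timestamp)
	Cert     Certificate    // sign_RA(K_{PID_{i,k}})
}

// issueCert is what the RA does when it certifies pseudonym k of node i.
func issueCert(raPriv ed25519.PrivateKey, pub ed25519.PublicKey) Certificate {
	return Certificate{PubKey: pub, RASig: ed25519.Sign(raPriv, pub)}
}

// buildNData is Step 1 on the sender: sign the navigation data together with the timestamp.
func buildNData(src string, priv ed25519.PrivateKey, cert Certificate, nav NavigationData) NData {
	payload, _ := json.Marshal(nav) // deterministic encoding of navigation_data_i || timestamp
	return NData{Dst: "A_broadcast", Src: src, Nav: nav, Sig: ed25519.Sign(priv, payload), Cert: cert}
}

// validateNData is the "validate" of Step 2 on the receiver: the certificate must be the
// RA's, the signature must verify under the certified key, and the timestamp must be fresh.
// Any failure means the message is dropped before safety_computation sees it.
func validateNData(raPub ed25519.PublicKey, m NData, now time.Time) error {
	if len(m.Cert.PubKey) != ed25519.PublicKeySize {
		return errors.New("malformed pseudonym public key")
	}
	if !ed25519.Verify(raPub, m.Cert.PubKey, m.Cert.RASig) {
		return errors.New("certificate not issued by RA")
	}
	payload, _ := json.Marshal(m.Nav)
	if !ed25519.Verify(m.Cert.PubKey, payload, m.Sig) {
		return errors.New("signature does not match navigation data")
	}
	age := now.Sub(time.UnixMilli(m.Nav.Timestamp))
	if age > FreshnessWindow || age < -FreshnessWindow {
		return errors.New("timestamp outside freshness window (replayed or skewed)")
	}
	return nil
}

func main() {
	raPub, raPriv, _ := ed25519.GenerateKey(nil)     // RA key pair (constructed)
	nodePub, nodePriv, _ := ed25519.GenerateKey(nil) // key pair behind PID_{i,k} (constructed)
	now := time.Now()
	nav := NavigationData{Location: [2]float64{47.65, -122.30}, Speed: 13.9, Acceleration: 0.2, Direction: 90, Timestamp: now.UnixMilli()}
	m := buildNData("A_{i,j}", nodePriv, issueCert(raPriv, nodePub), nav)
	fmt.Println("fresh message:", validateNData(raPub, m, now))
	fmt.Println("same message 10 s later:", validateNData(raPub, m, now.Add(10*time.Second)))
}
```

The certificate check is what ties liability to the RA-issued pseudonym: a node that fabricates its own key pair can still sign, but its certificate will not verify under the RA key and the message is discarded.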

As  mentioned  earlier,  in  order  to  provide  location  privacy 
for  the  group  leader,  it  becomes  essential  to  rotate  the  group 
leader  role  (periodically  or  on  demand)  among  the  group 
members.  The  following  protocol  is  used  to  enable  the 
rotation  of  the  group  leader  role  in  the  group  Gj. 

Group Leader Rotation (LEADER_ROTATION)

1. GL_j: if (does not want to be group leader) or (end of rotation period)
       GL_j → G_j: notification = A_broadcast || A_{GL_j}
                   || E_{k_{G_j}}(rotation_time || leader_rotation_notification)
   endif

2. for all i ∈ G_j \ GL_j
       i: wait for random time sp < sp_max
       i: mask y least significant bits of PID_{i,k+1}, and set the masked
          PID_{i,k+1} as A_{GL_j}^new = GID_j^new
       i → G_j: reply = A_broadcast || A_{i,j}
                || E_{k_{G_j}}(leader_role_accept || A_{GL_j}^new)
   endfor

3. if (GL_j receives the reply from two or more nodes in G_j)
       GL_j: choose random node i from the nodes that replied
       GL_j → G_j: A_broadcast || A_{GL_j}
                   || E_{k_{G_j}}(leader_role_granted || A_{i,j})
   else
       if (no reply is received within T_max)
           GL_j: go to Step 1
       endif
   endif

4. i: broadcast leader_notification = A_broadcast || A_{GL_j}^new || PID_{i,k+1}

5. RSU: verify leader_notification

6. RSU → i: broadcast ACK if verified to be correct

7. i: if (not received RSU ACK after waiting for T_max)
       i: repeat the broadcast in Step 4
   endif


Steps 2-3 are used to implement the random election of the new group leader,
in order to prevent any attacks that can exploit knowledge of a deterministic
election (discussed earlier in Section III-D.2). We can further incorporate a
verification mechanism in Step 3, in order to ensure that the election of the
new leader by the old leader node is truly random.
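The address arithmetic and the election of LEADER_ROTATION, as an added Go example that is not code from the paper: a candidate derives A_{GL_j}^new by masking the y least significant bits of PID_{i,k+1} (Step 2), the old leader refuses to proceed with fewer than two replies and picks the winner with a cryptographic random source so the outcome is not predictable from the member list (Step 3), and the RSU's check of leader_notification (Step 5) is modelled as recomputing the masked address from the revealed PID_{i,k+1}. Pseudonyms and addresses are 32-bit values here and y = 8 is a constructed parameter; the paper does not state y or the address width.

```go
package main

// Added example, not the paper's code: the address derivation and the random election in
// LEADER_ROTATION. Pseudonyms and addresses are modelled as 32-bit values and yBits (the
// width y of the node-ID field from Table II) is a constructed parameter.

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

const yBits = 8                          // assumed width y of the node-ID field
const idMask = uint32(1)<<yBits - 1      // the y least significant bits

// newGroupID is Step 2: the candidate masks the y least significant bits of its next
// pseudonym PID_{i,k+1}; the result serves as GID_j^new and as A_{GLj}^new = GID_j^new || 0^y.
func newGroupID(pidNext uint32) uint32 { return pidNext &^ idMask }

// memberAddress is A_{i,j} = GID_j || A_{aa,j} from Table II.
func memberAddress(gid, aa uint32) uint32 { return gid&^idMask | aa&idMask }

// Reply models leader_role_accept from candidate i.
type Reply struct {
	Src     uint32 // A_{i,j}
	NewAddr uint32 // A_{GLj}^new claimed by the candidate
}

// electLeader is Step 3: proceed only with two or more replies, and choose with
// crypto/rand so the outcome cannot be predicted from the member list (the deterministic
// election the paper warns against).
func electLeader(replies []Reply) (Reply, error) {
	if len(replies) < 2 {
		return Reply{}, errors.New("fewer than two replies: go back to Step 1")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(replies))))
	if err != nil {
		return Reply{}, err
	}
	return replies[n.Int64()], nil
}

// verifyLeaderNotification is the RSU's check in Step 5 on
// leader_notification = A_broadcast || A_{GLj}^new || PID_{i,k+1}: the announced address
// must be exactly the masked next pseudonym, so a node cannot claim an arbitrary group ID.
func verifyLeaderNotification(newAddr, pidNext uint32) bool {
	return newAddr == newGroupID(pidNext)
}

func main() {
	pidNext := uint32(0x12345678) // constructed PID_{i,k+1}
	gid := newGroupID(pidNext)
	replies := []Reply{
		{memberAddress(0xAABBCC00, 0x01), gid},
		{memberAddress(0xAABBCC00, 0x02), newGroupID(0x0F0F0FF0)},
	}
	winner, err := electLeader(replies)
	fmt.Printf("new GID %#x, winner %#x, err %v\n", gid, winner.NewAddr, err)
	fmt.Println("RSU accepts:", verifyLeaderNotification(gid, pidNext),
		"rejects forged:", !verifyLeaderNotification(0xDEADBE00, pidNext))
}
```

Because the new group ID is a function of the winner's next pseudonym, the RSU's check in Step 5 costs nothing beyond the mask itself, and the old leader never learns PID_{i,k+1} before the winner announces it.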

B.  Protocol  for  Anonymous  Access  to  LBS  Application  in 
VANET 

Fig.  4  illustrates  the  scenario,  where  node  i  in  the  group 
Gj  wants  to  access  a  location  based  application  offered  by 
service  provider  SPx.  The  steps  of  the  protocol  are  also 
illustrated  in  Fig.  4. 

Anonymous Access Protocol (ANONYMOUS_ACCESS)

1. i → GL_j: app_request_message =
   where APP_REQ = app_request || E_{K_RA}(PID_{i,k} || sign_i(PID_{i,k}) || h(q_i) || app_x)

2. GL_j → RSU: forward_message = A_RSU || A_{GL_j} || location_{GL_j} || APP_REQ

3. RSU → RA: forward APP_REQ

4. RA: compute MSG = D_{K_RA}(E_{K_RA}(PID_{i,k} || sign_i(PID_{i,k}) || h(q_i) || app_x))
   if (MSG is not valid)
       generate reply = DENY_REQ
   endif
   if (PID_{i,k} in MSG is valid) and (PID_{i,k} has valid access to app_x) and
      (sign_i(PID_{i,k}) || h(q_i) in MSG is valid)
       generate reply = app_x || E_{K_{SP_x}}(k_{x,i} || sign_RA(k_{x,i}, timestamp)) ||
                        E_{K_{PID_{i,k}}}(k_{x,i} || sign_RA(k_{x,i}, timestamp))
   else
       generate reply = DENY_REQ
   endif
   RA → RSU: reply

5. RSU: if (reply == DENY_REQ)
       go to Step 15
   else
       RSU → SP_x: send app_initiate =
                   location_{GL_j} || E_{K_{SP_x}}(k_{x,i} || sign_RA(k_{x,i}, timestamp))
   endif

6. SP_x: if (received app_initiate from RSU) and (able to provide service)
       compute D_{K_{SP_x}}(E_{K_{SP_x}}(k_{x,i} || sign_RA(k_{x,i}, timestamp)))
       if (k_{x,i} is valid) and (timestamp is not expired)
           SP_x → RSU: send app_initiate_response
       endif
   endif  /* app_initiate_response is also used to indicate the availability of SP_x */

7. RSU: if (received app_initiate_response within T_max1)
       RSU → GL_j: send RSU_response = A_{GL_j} || A_RSU || app_x ||
                   E_{K_{PID_{i,k}}}(k_{x,i} || sign_RA(k_{x,i}, timestamp))
   else
       go to Step 15
   endif

8. GL_j: if (received RSU_response within T_max2)
       GL_j → i: app_x || E_{K_{PID_{i,k}}}(k_{x,i} || sign_RA(k_{x,i}, timestamp))
   else
       go to Step 15
   endif

9. for all i in G_j
       if (requested for app_x access)
           i: compute decrypt =
              D_{K_{PID_{i,k}}}(E_{K_{PID_{i,k}}}(k_{x,i} || sign_RA(k_{x,i}, timestamp)))
           i: if (successfully obtained decrypt)
               if (k_{x,i} is valid) and (timestamp is not expired)
                   i: go to Step 10
               else
                   i: go to Step 15
               endif
           else
               i: ignore the broadcast from GL_j
           endif
       endif
   endfor

10. while (1)  /* two-way communication session between node and SP */
       if (data to be sent to i)
           SP_x → RSU: E_{k_{x,i}}{data}
           RSU → GL_j: A_{GL_j} || A_RSU || E_{k_{x,i}}{data}
           GL_j → i: E_{k_{x,i}}{data}
           i: decrypt data as D_{k_{x,i}}{E_{k_{x,i}}{data}}
       endif
       i: if (no data received for T_max3) and (no data to be sent to SP_x)
           go to Step 11
       else
           if (data to be sent to SP_x)
               i → GL_j: A_{GL_j} || A_{aa,j} || E_{k_{G_j}}{app_x || E_{k_{x,i}}{data}}
               GL_j → RSU: A_RSU || A_{GL_j} || location_{GL_j} || app_x || E_{k_{x,i}}{data}
               RSU → SP_x: location_{GL_j} || E_{k_{x,i}}{data}
               SP_x: decrypt D_{k_{x,i}}{E_{k_{x,i}}{data}}
           endif
       endif
    endwhile

11. i → GL_j: A_{GL_j} || A_{aa,j} || E_{k_{G_j}}{APP_FIN}
    where APP_FIN = app_x_end
                    || E_{K_RA}(PID_{i,k} || app_x || k_{x,i} || sign_i(session_info || timestamp))
    GL_j → RSU: A_RSU || A_{GL_j} || location_{GL_j} || APP_FIN
    RSU → RA: forward APP_FIN

12. SP_x → RSU → RA: SERVICE_FIN =
    E_{K_RA}(SP_x || app_x || k_{x,i} || sign_{SP_x}(session_info || timestamp))

13. RA: if (received APP_FIN) and (received SERVICE_FIN)
        RA: D_{K_RA}(E_{K_RA}(PID_{i,k} || app_x || k_{x,i} || sign_i(session_info || timestamp)))
        RA: D_{K_RA}(E_{K_RA}(SP_x || app_x || k_{x,i} || sign_{SP_x}(session_info || timestamp)))
        if (decrypted quantities are valid for session between i and SP_x) and
           (session_info in both signatures match)
            RA: record the decrypted quantities
            go to Step 15
        else
            go to Step 14
        endif
    else
        if (waited for T_max1) and (not received APP_FIN) and (not received SERVICE_FIN)
            go to Step 15
        else
            go to Step 14
        endif
    endif

14. RA, location server, i, SP_x: resolve dispute between i and SP_x

15. i, SP_x, GL_j, RSU: terminate session

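The key distribution and session encryption of ANONYMOUS_ACCESS (Steps 4, 6, 9 and 10), as an added Go example that is not the paper's implementation: the RA generates k_{x,i}, signs it together with a timestamp, and wraps one copy under K_{SP_x} and one under the pseudonym key K_{PID_{i,k}}; SP_x and node i each decrypt their copy, verify sign_RA(k_{x,i}, timestamp) and reject an expired timestamp; session data then flows as E_{k_{x,i}}{data}, which GL_j and the RSU relay without being able to read. RSA-OAEP for E_K(·), Ed25519 for sign_RA and AES-GCM for E_k{·}, as well as the 10-minute validity used in the calls, are assumptions of this example; the paper fixes none of them.

```go
package main

// Added example, not the paper's implementation: Steps 4, 6, 9 and 10 of ANONYMOUS_ACCESS.
// The RA issues k_{x,i} with sign_RA(k_{x,i}, timestamp), wrapped once under K_{SPx} and
// once under the pseudonym key K_{PID_{i,k}}; session data then travels as E_{k_{x,i}}{data},
// opaque to GL_j and the RSU. RSA-OAEP, Ed25519 and AES-GCM are assumed primitives.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const keyLen = 32 // k_{x,i} is a 256-bit AES key (assumed)

// genRSA makes a 2048-bit pair standing in for K_{SPx} or K_{PID_{i,k}} (constructed).
func genRSA() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// issueSessionKey is Step 4 at the RA. Each wrapped copy holds
// k_{x,i} || timestamp || sign_RA(k_{x,i} || timestamp).
func issueSessionKey(raPriv ed25519.PrivateKey, spPub, nodePub *rsa.PublicKey, now time.Time) (forSP, forNode []byte, err error) {
	signed := make([]byte, keyLen+8)
	if _, err = rand.Read(signed[:keyLen]); err != nil {
		return nil, nil, err
	}
	binary.BigEndian.PutUint64(signed[keyLen:], uint64(now.Unix()))
	grant := append(signed, ed25519.Sign(raPriv, signed)...)
	if forSP, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, grant, nil); err != nil {
		return nil, nil, err
	}
	forNode, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, nodePub, grant, nil)
	return forSP, forNode, err
}

// openGrant is Step 6 (SP_x) and Step 9 (node i): decrypt with the own private key, verify
// the RA's signature and reject an expired timestamp. A relay without the private key fails.
func openGrant(priv *rsa.PrivateKey, raPub ed25519.PublicKey, wrapped []byte, now time.Time, maxAge time.Duration) ([]byte, error) {
	grant, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	if len(grant) != keyLen+8+ed25519.SignatureSize {
		return nil, errors.New("malformed grant")
	}
	signed, sig := grant[:keyLen+8], grant[keyLen+8:]
	if !ed25519.Verify(raPub, signed, sig) {
		return nil, errors.New("k_{x,i} not signed by RA")
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(signed[keyLen:])), 0)
	if issued.After(now) || now.Sub(issued) > maxAge {
		return nil, errors.New("timestamp expired")
	}
	return signed[:keyLen], nil
}

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealData is E_{k_{x,i}}{data} (Step 10); the nonce is prepended to the ciphertext.
func sealData(k, data []byte) ([]byte, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, nil), nil
}

// openData is D_{k_{x,i}}{E_{k_{x,i}}{data}}; GCM authentication rejects modified data.
func openData(k, ct []byte) ([]byte, error) {
	gcm, err := newGCM(k)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	raPub, raPriv, _ := ed25519.GenerateKey(nil)
	sp, node := genRSA(), genRSA()
	now := time.Now()
	forSP, forNode, _ := issueSessionKey(raPriv, &sp.PublicKey, &node.PublicKey, now)
	kSP, _ := openGrant(sp, raPub, forSP, now, 10*time.Minute)
	kNode, _ := openGrant(node, raPub, forNode, now, 10*time.Minute)
	ct, _ := sealData(kSP, []byte("service data for node i")) // SP_x -> RSU -> GL_j -> i
	pt, err := openData(kNode, ct)
	fmt.Printf("node i reads %q (err %v); relays only see %d opaque bytes\n", pt, err, len(ct))
}
```

Two properties of the protocol show up directly: the RSU, which holds neither private key, learns nothing about k_{x,i} from the copies it forwards in Steps 5 and 7, and because the RA signs the timestamp together with the key, a replayed grant is rejected by the timestamp check in Steps 6 and 9 even though its signature is still valid.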
TABLE II

Standard notation used in this paper

Notation                 Description
i                        An entity/node in the VANET.
i → j                    Entity i broadcasts to entity j.
G_j                      A group j of nodes in the VANET.
𝒩                        Set of all N nodes in the VANET, i.e. |𝒩| = N.
𝒢                        Set of all g groups in the VANET, i.e. |𝒢| = g.
ℋ                        Set of groups in the VANET, ℋ ⊂ 𝒢.
[illegible]_max          Maximum size for a group.
GL_j                     Group Leader of group G_j.
GID_j                    Group ID of group G_j.
PID_{i,k}                Pseudonym k of node i. Each node i has a set of w pseudonyms, {PID_{i,k}}.
A_{GL_j}                 ID of GL_j. Note that A_{GL_j} = GID_j || 0^y, where y is the size (in bits) of the node ID field.
A_{aa,j}                 LBS application access address selected from an address range for group G_j.
A_{i,j}                  ID of node i that is a member of group G_j. Note that A_{i,j} = PID_{i,k} or A_{i,j} = GID_j || A_{aa,j}.
A_broadcast              Broadcast address for the network.
A_D || A_S || data       Destination address || Source address || Data.
speriod                  Random silent period, speriod_min ≤ speriod < speriod_max.
[illegible]_min, [illegible]_max   Minimum and maximum speed limits for a node.
R_max                    Maximum number of broadcast repetitions.
T_max                    Maximum waiting period for an ACK or a reply.
[illegible]_max          Maximum waiting period for a group join request.
x || y or (x, y)         x concatenated to y.
{x}                      A set of elements.
/** comment **/          Comments in the pseudocode.
K_x, K_x^{-1}            Public and private key pair of entity x.
k_{x,y}                  Pairwise symmetric key of two entities x, y.
k_{G_j}                  Symmetric key of group G_j.
c = E_{K_x}(m)           Encryption of message m with public key K_x.
D_{K_x}(c)               Decryption of ciphertext c with the private key of entity x.
E_{k_x}{·}, D_{k_x}{·}   Encryption and decryption with symmetric key k_x.
sign_i(m)                Digital signature on message m with the private key of entity i.
h(m)                     Cryptographic hash of a message m. Also, h^n(m) = [illegible], n > 2.
q_i                      A secret quantity of node i.
